ci: add security scan workflow#1305
Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
main, but PRs should target staged.
The main branch is auto-published from staged and should not receive direct PRs.
Please close this PR and re-open it against the staged branch.
You can change the base branch using the Edit button at the top of this PR,
or run: gh pr edit 1305 --base staged
Pull request overview
Adds a new GitHub Actions workflow intended to standardize security scanning across repositories by running checks on pull requests and on a weekly schedule.
Changes:
- Introduces a PR-only dependency review job using actions/dependency-review-action.
- Adds a repo-wide grep-based secret scan intended to detect common credential patterns.
- Adds a “file permissions” job intended to catch overly permissive files, plus a weekly scheduled run.
| pull-requests: write | ||
| issues: write |
Workflow-level token permissions are broader than needed and include issues: write even though this workflow never creates/updates issues. Consider least-privilege defaults (e.g., contents: read, pull-requests: read) and only granting pull-requests: write/issues: write at job-level when a step actually posts a comment/issue (especially important for PR events).
| pull-requests: write | |
| issues: write | |
| pull-requests: read |
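Review bot: the suggested block drops `issues: write` and narrows `pull-requests` to `read`, but `contents: read` does not appear in these rows; once a `permissions:` block is declared, every scope that is not listed is set to none, so `actions/checkout` and `actions/dependency-review-action` will fail without it. Keep `contents: read` at the workflow level, and if the dependency review is meant to post its summary as a PR comment, grant `pull-requests: write` on that one job rather than for the whole workflow.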
| - uses: actions/checkout@v4 | ||
| - uses: actions/dependency-review-action@v4 |
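Review bot: `actions/dependency-review-action` compares dependency manifests between a pull request's base and head, so unless `base-ref`/`head-ref` are supplied (these rows do not) it errors on any event other than `pull_request`. With the weekly `schedule` trigger on the same workflow, make sure this job is guarded with `if: github.event_name == 'pull_request'` (or lives in a workflow that only runs on `pull_request`) rather than relying on `continue-on-error` to hide the failure on the scheduled run.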
This repo appears to pin GitHub Actions by full commit SHA (e.g., .github/workflows/codespell.yml:16). Using floating tags like actions/checkout@v4 and actions/dependency-review-action@v4 weakens supply-chain security and makes runs non-reproducible. Please pin these uses: references to specific SHAs (optionally with a # vX.Y.Z comment).
| - uses: actions/dependency-review-action@v4 | ||
| continue-on-error: true |
dependency-review-action is configured with continue-on-error: true, so dependency issues won't fail the workflow. This contradicts the PR description of adding a dependency review check on PRs; if this is intended to gate merges, remove continue-on-error (or configure the action to fail only above a chosen severity).
| echo "::warning::Potential secrets detected:" | ||
| echo "$FOUND" |
The secret scan currently prints the full grep matches to the Actions log (echo "$FOUND"). If a real secret is present, this can further expose it in CI logs. Prefer redacting match contents (e.g., only output file:line without the matched substring) and consider failing the job (exit non-zero) so leaks can't be ignored.
| echo "::warning::Potential secrets detected:" | |
| echo "$FOUND" | |
| REDACTED_FOUND=$(printf '%s\n' "$FOUND" | sed -E 's/^([^:]+:[0-9]+):.*/\1/') | |
| echo "::error::Potential secrets detected at:" | |
| echo "$REDACTED_FOUND" | |
| exit 1 |
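Review bot: the redaction in `sed -E 's/^([^:]+:[0-9]+):.*/\1/'` is fail-open: it only rewrites lines shaped like `path:line:match`, so if `$FOUND` was produced without `grep -n` (no line number) or a path contains a colon, the substitution does not apply and `echo "$REDACTED_FOUND"` prints the full match, secret included. Build `$FOUND` with `grep -rnE` and keep only the first two fields with `cut -d: -f1,2` (or use `grep -l` to list filenames only), so there is no input on which the raw match can reach the log.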
| - name: Check for overly permissive files | ||
| run: | | ||
| echo "Checking for world-writable or executable scripts..." | ||
| find . -type f \( -name "*.sh" -o -name "*.ps1" \) -not -path "*/.git/*" | while read f; do | ||
| echo "Script found: $f" | ||
| done | ||
| echo "✅ File permission check complete" |
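Review bot: besides never inspecting mode bits, `find ... | while read f` runs without `-r` and with the default `IFS`, so backslashes and leading spaces in paths are mangled; and on a fresh checkout the world-writable bit reflects the runner's umask, not the repository, because git records only whether a file is executable (`100755` vs `100644`). Check the tracked mode with `git ls-files -s` (flag `100755` entries that are not scripts) and use `find -type f -perm -002` to catch world-writable files written by earlier steps, then `exit 1` when either list is non-empty so the job actually fails.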
The "File permission check" job doesn't actually inspect permissions; it only lists *.sh/*.ps1 files and always succeeds. This doesn't implement the PR description's "File permission checks". Update the script to check mode bits (e.g., world-writable files and unexpected executables) and fail the job when violations are found.
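What the two review threads above ask for, a fail-closed secret scan that never echoes the match and a permission check that actually inspects mode bits, as an added example in portable shell. This is not the PR's workflow and not Copilot's suggested diff; the function names, the credential patterns in SECRET_PATTERNS, the extensions allowed to carry the execute bit, and the fixture built by make_fixture are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the PR under review): fail-closed CI checks plus a
# constructed fixture so they can be exercised locally with `sh scan.sh --demo`.

# Credential patterns are an assumption for illustration, not the workflow's list.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|ghp_[A-Za-z0-9]{36}|(password|secret|token)[[:space:]]*[:=][[:space:]]*['\"][^'\"]{8,}"

# scan_secrets DIR: print one "path:line" per hit with the matched text dropped,
# return 1 if anything was found. grep -n emits path:line:content, so keeping
# fields 1-2 cannot leak the match (a path containing ':' is truncated, never
# over-exposed).
scan_secrets() {
    hits=$(grep -rnEI --exclude-dir=.git -e "$SECRET_PATTERNS" "$1" 2>/dev/null | cut -d: -f1,2)
    if [ -z "$hits" ]; then
        echo "No potential secrets found"
        return 0
    fi
    echo "::error::Potential secrets detected at (contents redacted):"
    printf '%s\n' "$hits"
    return 1
}

# check_file_modes DIR: report world-writable files and files carrying the owner
# execute bit that are not recognised script types; return 1 on any hit.
# Octal -perm forms are used for portability across find implementations.
# The list of extensions allowed to be executable is an assumption.
check_file_modes() {
    rc=0
    ww=$(find "$1" -type f ! -path '*/.git/*' -perm -002 2>/dev/null)
    if [ -n "$ww" ]; then
        echo "::error::World-writable files:"
        printf '%s\n' "$ww"
        rc=1
    fi
    exe=$(find "$1" -type f ! -path '*/.git/*' -perm -100 \
          ! -name '*.sh' ! -name '*.ps1' ! -name '*.py' 2>/dev/null)
    if [ -n "$exe" ]; then
        echo "::error::Execute bit on non-script files:"
        printf '%s\n' "$exe"
        rc=1
    fi
    return $rc
}

# check_tracked_modes DIR: the authoritative executable check for a git checkout.
# git stores only 100644/100755 and a fresh checkout's other bits come from the
# runner's umask, so ask the index rather than the disk. Returns 2 if DIR is not
# a work tree so a misconfigured job cannot silently pass.
check_tracked_modes() {
    git -C "$1" rev-parse --is-inside-work-tree >/dev/null 2>&1 || {
        echo "::error::$1 is not a git work tree"; return 2; }
    bad=$(git -C "$1" ls-files -s | awk '$1 == "100755" { print $4 }' \
          | grep -vE '\.(sh|ps1|py)$' || true)
    [ -z "$bad" ] && return 0
    echo "::error::Execute bit on non-script tracked files:"
    printf '%s\n' "$bad"
    return 1
}

# make_fixture: constructed sample tree (not a real repository) with a planted
# hard-coded password, a world-writable file, an executable data file, a
# legitimately executable script, and a .git/ tree that both checks must skip.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/.git/objects" "$d/src" "$d/scripts"
    printf 'service: api\npassword: "correct-horse-battery"\n' > "$d/src/config.yml"
    printf '# Project\nNothing sensitive here.\n' > "$d/README.md"
    printf 'AKIAABCDEFGHIJKLMNOP\n' > "$d/.git/objects/pack-note"
    printf '#!/bin/sh\necho deploy\n' > "$d/scripts/deploy.sh"
    printf 'notes\n' > "$d/notes.txt"
    printf 'a,b\n' > "$d/data.csv"
    chmod 755 "$d/scripts/deploy.sh" "$d/data.csv"
    chmod 666 "$d/notes.txt"
    chmod 644 "$d/src/config.yml" "$d/README.md"
    echo "$d"
}

# Stand-alone run: both checks fail on the fixture, exactly as they should in CI.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture); s=0; m=0
    scan_secrets "$fx" || s=$?
    check_file_modes "$fx" || m=$?
    rm -rf "$fx"
    exit $(( s | m ))
fi
```

In a workflow step only the three check functions are needed; the fixture exists so the behaviour can be verified before the job is trusted to gate merges. Note that check_file_modes on a fresh checkout mostly catches files produced by earlier steps, while check_tracked_modes is the one that reflects what the repository actually carries.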
Adds a standard security scan workflow with:
Part of governance standardization across repos.